Configure single sign-on (Office SharePoint Server)
Applies To: Office SharePoint Server 2007
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
Single sign-on (SSO) is a Microsoft Office SharePoint Server feature that provides storage and mapping of credentials such as account names and passwords. Using SSO, portal site–based applications can retrieve information from third-party applications and back-end systems such as Enterprise Resource Planning (ERP) and Customer Relations Management (CRM) systems.
The use of single sign-on functionality enables users to authenticate only once when they access portal site–based applications that need to obtain information from other business applications and systems.
Configuring single sign-on consists of five tasks:
Configure and start the Microsoft Single Sign-On service
Configure Single Sign-On for Office SharePoint Server 2007
Manage the encryption key
Manage enterprise application definitions
Manage account information for an enterprise application definition
Note that you must be logged into the SharePoint Central Administration Web site on a farm server to configure single sign-on (SSO) for Office SharePoint Server 2007. If you attempt to configure SSO on a workstation or any computer that is not a farm server, you will see an error message that reads "Single sign-on cannot be configured from this server. To configure single sign-on, go to the computer running the single sign-on service and specify these settings locally."
Follow the procedures in the sections that follow to configure SSO for your Office SharePoint Server 2007 environment.
Configure and start the Microsoft Single Sign-On service
To use single sign-on, the Microsoft Single Sign-On service (SSOSrv) must be installed on all Microsoft Windows front-end Web servers in the farm. SSOSrv must also be installed on all servers running Excel Services. If the Business Data Catalog search is used, SSOSrv must also be installed on the index server.
SSOSrv is configured by using the Services console. When configuring the service, a logon account is required. The logon account must meet all of the following criteria:
Must be a domain user account. It cannot be a group account.
Must be an Office SharePoint Server farm account.
Must be a member of the local Administrators group on the encryption-key server. (The encryption-key server is the first server on which you start SSOSrv.)
Must be a member of the Security Administrators role and db_creator role on the computer running Microsoft SQL Server.
Must be either the same as the single sign-on administrator account, or a member of the group account that is the single sign-on administrator account.
Configure and start the Microsoft Single Sign-On service
1. On the server, click Start, Control Panel, Administrative Tools, and then click Computer Management.
2. In the Computer Management console, expand Services and Applications, and then click Services.
3. Right-click Microsoft Single Sign-On Service, and then choose Properties.
4. On the General tab, change the Startup type to Automatic.
5. On the General tab, under Service Status, click Start.
6. Click OK to save your changes and close the Properties window.
7. Repeat steps 1 through 6 for each applicable server in the farm.
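The following PowerShell script is an added example, not part of the original article: it audits the Microsoft Single Sign-On service on every farm server (startup type, state and logon account, which the criteria above require to be a domain user account) and, with -Apply, performs the equivalent of steps 4 and 5. It assumes the Windows service name is ssosrv, that the server names in $FarmServers are constructed placeholders, and that the caller has remote WMI and service-control rights; group membership and SQL Server role requirements still have to be checked separately.

```powershell
param([switch]$Apply)

# Constructed sample host names: front-end Web, Excel Services and BDC index servers.
$FarmServers = @('WFE01', 'WFE02', 'EXCEL01', 'INDEX01')
$ServiceName = 'ssosrv'   # assumed service name for "Microsoft Single Sign-On Service"

function Test-SsoServiceAccount {
    param([string]$StartName)
    # Built-in or local accounts do not satisfy the "domain user account" requirement.
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)') { return $false }
    # Expect DOMAIN\username; anything else is flagged for manual review.
    return ($StartName -match '^[^\\]+\\[^\\]+$')
}

foreach ($server in $FarmServers) {
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $server -Filter "Name='$ServiceName'"
    if ($svc -eq $null) {
        Write-Warning "$server`: $ServiceName is not installed on this server."
        continue
    }

    $accountOk = Test-SsoServiceAccount $svc.StartName
    "{0,-10} StartMode={1,-8} State={2,-8} Account={3} AccountOk={4}" -f `
        $server, $svc.StartMode, $svc.State, $svc.StartName, $accountOk

    if ($Apply) {
        # Step 4: Startup type = Automatic.  Step 5: start the service.
        if ($svc.StartMode -ne 'Auto')    { $null = $svc.ChangeStartMode('Automatic') }
        if ($svc.State     -ne 'Running') { $null = $svc.StartService() }
    }
}
```

Run without -Apply first to review the report; a row with AccountOk=False means the service logon account must be changed to a domain user account before SSO is configured.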
Configure Single Sign-On for Office SharePoint Server 2007
Managing server settings for single sign-on includes specifying the appropriate administrator accounts, the single sign-on database server and server name, and time-out and audit log settings.
Note
You must open Central Administration on the computer that runs Office SharePoint Server 2007 to manage server settings for single sign-on.
Configure SSO for Office SharePoint Server 2007
On Central Administration, on the top navigation bar, click Operations.
On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage server settings.
On the Manage Settings for Single Sign-On page, in the Account name box in the Single Sign-On Administrator Account section, type the single sign-on administrator account name by using the form domain/group or domain/username.
Note
The single sign-on administrator account specifies the set of people who can create, delete, or modify application definitions. The administrator account can also back up the encryption key.
The user or group that you specify as the single sign-on administrator must be all of the following:
Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.
The same account as the single sign-on service account, if a user is specified. If a group is specified, the single sign-on service account must be a member of that group.
The same as the configuration account for single sign-on, if a user is specified. If a group is specified, the configuration account for single sign-on must be a member of that group.
A member of the Farm Administrators group on Central Administration.
If a group is specified, all users who are added to the group for the purpose of administering single sign-on must be members of the local Administrators group on the encryption-key server. Do not make this account a member of the local Administrators group on the encryption-key server.
In the Enterprise Application Definition Administrator Account section, in the Account name box, type the account name of the group or user who can set up and manage enterprise application definitions. Type the name by using the form domain/group or domain/username.
The enterprise application definition administrator account can manage credentials of an enterprise application definition, including changing the password of a group enterprise application definition and changing or deleting credentials for an individual enterprise application definition.
The user or group that you specify must be the following:
Either a Windows global group or an individual user account. This account cannot be a domain local group account or a distribution list.
A member of the Reader SharePoint group on Central Administration.
In the Database Settings section, in the Server name box, type the NetBIOS name of the single sign-on database server (for example, computer_name or computer_name\SQL_Server_instance). Do not type the fully qualified domain name.
In the Database name box, type the name of the single sign-on database.
Note
Unless you are pre-creating databases, we recommend that you use the default database server and single sign-on database.
In the Time Out Settings section, in the Ticket time out (in minutes) box, type the number of minutes that pass before a single sign-on ticket expires. The time-out should be long enough to cover the interval between the time that the ticket is issued and the time that the enterprise application redeems the ticket. Two minutes is the recommended value.
In the Delete audit log records older than (in days) box, type a value for how many days the audit log holds records before deleting them.
Click OK.
Manage the encryption key
The first server that SSOSrv is enabled on becomes the encryption-key server. The encryption-key server generates and stores the encryption key. The encryption key is used to encrypt and decrypt the credentials that are stored in the SSO database.
Because the encryption key protects security credentials, we recommend that you create a new encryption key on a regular schedule (for example, every 90 days). We also recommend that you create a new encryption key immediately if you suspect that account credentials have been compromised.
The encryption key must be backed up each time a new key is created. You do not need to back up the encryption key at any other time (except when you are moving the encryption-key server role from one server to another). You must back up the encryption key from the encryption-key server locally; the key cannot be backed up remotely.
You can also use encryption key backup and restore to move the encryption-key server role from one server to another. (Other tasks must also be completed to move the encryption-key server role.)
Note
You must open Central Administration on the computer that runs Office SharePoint Server 2007 to manage the encryption key.
Manage the encryption key
On Central Administration, on the top navigation bar, click Operations.
On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage encryption key.
From the Manage Encryption Key page, you can perform three management tasks:
Create a new encryption key
Back up an encryption key
Restore an encryption key
Create a new encryption key
On the Manage Encryption Key page, in the Encryption Key section, click Create Encryption Key.
On the Create Encryption Key page, select the Re-encrypt all credentials by using the new encryption key check box.
Important
If you do not re-encrypt the existing credentials with the new encryption key, users must retype their credentials for individual application definitions, and administrators must retype group credentials for group application definitions.
Click OK.
Back up an encryption key
On the Manage Encryption Key page, in the Drive list in the Encryption Key Backup section, click the removable media drive on which you want to store the encryption-key backup.
Click Back Up.
Restore an encryption key
You should always back up the encryption key when you back up the single sign-on database, because the database is useless without the encryption key. Also, before you replace an encryption-key server, make sure to back up the encryption key so that it can be restored on the new encryption-key server.
On the Manage Encryption Key page, in the Drive list in the Encryption Key Restore section, click the removable media drive from which you want to restore the encryption-key backup.
Click Restore.
Manage enterprise application definitions
In the single sign-on environment, the back-end external data sources and systems are referred to as enterprise applications. For each enterprise application that Office SharePoint Server 2007 connects to, a corresponding enterprise application definition needs to be configured.
On Central Administration, on the top navigation bar, click Operations.
On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
On the Manage Settings for Single Sign-On page, click Manage settings for enterprise application definitions.
Manage account information for an enterprise application definition
If you are using a group to connect to the enterprise application, you need to provide account credentials for the group to use. If individual users are connecting directly to the enterprise application, you can preset or reset user passwords, or you can delete users from the enterprise application definition.
On Central Administration, on the top navigation bar, click Operations.
On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.
On the Manage Settings for Single Sign-On page, in the Enterprise Application Definition Settings section, click Manage account information for enterprise application definitions.
On the Manage Account Information for an Enterprise Application Definition page, in the Enterprise application definition list in the Account Information section, click the application definition for which you want to manage account information.
In the Group account name box, type the name of the group that is allowed access to the enterprise application.
In the Enterprise Application Definition section, select one of the following:
Option: Update account information
Purpose: Enter credentials for the first time or update the credentials used to connect to the enterprise application.
Option: Delete stored credentials for this account from this enterprise application definition
Purpose: Delete the credentials currently used to connect to the enterprise application.
Option: Delete stored credentials for this account from all enterprise application definitions
Purpose: Delete the credentials currently used to connect the selected enterprise application from all enterprise application definitions. Deleting stored credentials deletes credentials only for individual accounts; it does not delete credentials for group accounts.
If you select Update account information, complete the following steps:
Click Set.
On the Provide Account Information page, in the Logon Information section, type the user name and password of the account that will be used to connect to the enterprise application.
Click OK.
Click Done.